Most memory vulnerabilities are use-after-free which due to the nature of C is a very easy mistake to make.

Buffer overflows are simple inexcusable, especially if its "we didn't bother checking" rather than "we got the size wrong due to human error".

The first case is not normal, people like that should not be programming HTML let alone C code.